Ninja Forms Exploit: Unauthenticated RCE Threatens WordPress Sites

A critical vulnerability, tracked as CVE-2026-0740, is being actively exploited in the Ninja Forms File Uploads premium add-on for WordPress. The flaw allows unauthenticated attackers to upload arbitrary files, including malicious PHP scripts, directly to a targeted server. The root cause is a failure to properly validate file types and extensions on the destination filename, which lets attackers bypass the upload checks and achieve remote code execution. Wordfence, a prominent WordPress security firm, reported blocking over 3,600 such attacks in a single 24-hour period, highlighting the immediate danger.

The vulnerability affects Ninja Forms File Upload versions up to 3.3.26 and carries a CVSS score of 9.8 (critical). The lack of filename sanitization also permits path traversal, so uploaded files can be placed in sensitive directories, potentially including the webroot. An attacker can therefore not only upload malicious code but also execute it, compromising the entire WordPress installation. With over 600,000 downloads of Ninja Forms and 90,000 customers of its File Upload extension, the attack surface is significant.
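As an added illustration (not code from Ninja Forms or Wordfence), the following Python function applies the checks the article says were missing: the extension allowlist is evaluated on the filename that will actually be written, every extension in a multi-extension name is checked, and directory components are stripped so a traversal sequence cannot steer the file into another directory. `ALLOWED_EXTENSIONS`, `UPLOAD_ROOT` and the function names are assumptions.

```python
"""Destination-filename validation for an upload handler.

Added example, not code from Ninja Forms: it applies the checks the
article says were missing to the name that is actually written to disk.
"""
from pathlib import Path, PurePosixPath

# Constructed allowlist; a real form would scope this per upload field.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg"}
# Assumption: uploads are stored outside the webroot, so even a file that
# slipped through could not be requested (and executed) over HTTP.
UPLOAD_ROOT = Path("/srv/uploads")


def safe_destination(requested_name: str, upload_root: Path = UPLOAD_ROOT) -> Path:
    """Return the path a file may be written to, or raise ValueError.

    Every check runs on the final filename, not on a client-supplied
    declared type, which is the gap the article attributes to the add-on.
    """
    # Strip directory components so "../../wp-content/x.png" becomes "x.png";
    # this closes the path-traversal vector the article mentions.
    name = PurePosixPath(requested_name.replace("\\", "/")).name
    if name in ("", ".", ".."):
        raise ValueError("empty or traversal-only filename")
    if "\x00" in name:
        raise ValueError("NUL byte in filename")
    # Check every extension in the name, not just the last one, so that a
    # double-extension name such as "shell.php.png" is also rejected.
    exts = name.lower().split(".")[1:]
    if not exts or any(ext not in ALLOWED_EXTENSIONS for ext in exts):
        raise ValueError(f"disallowed extension in {name!r}")
    dest = (upload_root / name).resolve()
    # Defence in depth: the resolved path must still sit under upload_root.
    if upload_root.resolve() not in dest.parents:
        raise ValueError("destination escaped the upload directory")
    return dest


def is_accepted(requested_name: str) -> bool:
    """Convenience wrapper: True if the name passes every check above."""
    try:
        safe_destination(requested_name)
    except ValueError:
        return False
    return True
```

The function validates names only; a separate check of the file's actual bytes (magic numbers) against the declared type is still needed before the file is stored.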

What This Means For You

  • Given the active exploitation and the unauthenticated nature of this critical RCE vulnerability in a widely used WordPress plugin, organizations should immediately audit their WordPress installations for the Ninja Forms File Uploads add-on and update to a patched version. Where patching is not immediately feasible, temporarily disable the File Upload functionality or add stricter Web Application Firewall (WAF) rules that block suspicious upload attempts targeting the plugin.
